wordpress theme Archives - Pritect Network

This won’t be a typical full disclosure post. I will release that after sufficient time has passed to allow users to upgrade. The most I will say now is that logged in users had access to more than they should have. If your site does not have additional untrusted users this is not a major issue for you. Though everyone should upgrade immediately.

On 2/10/2016 I discovered a potential security issue with Elegant Themes Divi theme. Since I am not a customer of theirs I had some issues getting in touch with someone to disclose the information to, but after a few emails and a Twitter exchange I was able to convey the information.

In the interim, Elegant Themes had Securi do a complete code analysis to check for further issues and apparently they did not discover anything further than I already had.

On 2/17/2016 Elegant Themes released updated versions and contacted their customer list to tell them to upgrade. I haven’t seen the exact email sent.

I believe a customer of theirs tweeted out about the issue. I was going to wait to post this until Elegant Themes had a chance to do their own release.

I have not seen the updated code, but based on the description received it sounds like the issue should be resolved.

Affected Versions

Divi < 2.6.4
Diviv (legacy) < 2.3.4
Divi Builder < 1.2.4
Extra < 1.2.4
Bloom < 1.1.1
Monarch < 1.2.7

The ThemeBlvd theme framework doesn’t properly authenticate if a user is able to commit specific actions. We uncovered two specific vulnerabilities in their product and notified the vendor. This release was made after the vendor notified us a fix was released.

The first could be used to damage a WordPress site and possibly could be used for much more.

/** * Clear set of options. Hooked to "admin_init". * * @since 2.3.0 */ function themeblvd_clear_options() { if ( isset( $_POST['themeblvd_clear___options'] ) ) { $option_id = $_POST['themeblvd_clear___options']; delete_option( $option_id ); add_settings_error( $option_id , 'clear_defaults', __( 'Options cleared from database.', 'themeblvd' ), 'themeblvd-error error fade' ); } }

This code doesn’t authenticate the user in any way, so it allows any user to delete an arbitrary option from the wp_options table.

The second vulnerability allows a user to set any of their user_meta data to ‘true’. Which could be leveraged for additional access.
function themeblvd_disable_nag() {

global $current_user;

if ( isset( $_GET[‘tb_nag_ignore’] ) ) {
add_user_meta( $current_user->ID, $_GET[‘tb_nag_ignore’], ‘true’, true );
}
}

I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.

Themes Affected

WP Jump Start (version 1.2.4)
Alyeska (version 3.1.4)
Akita (version 2.1.4)
Arcadian Responsive (version 2.0.5)
Swagger (version 2.1.4)
Commodore (version 3.0.2)
Barely Corporate (version 4.1.4)

Plugins Affected

Theme Blvd Shortcodes (version 1.5.2)
Theme Blvd Widget Areas (version 1.2.2)
Theme Blvd Layout Builder (version 2.0.1)
Theme Blvd Sliders (version 1.2.3)

Pritect Network

Tag: wordpress theme

Elegant Themes Divi/Divi Builder/Extra/Bloom/Monarch Security Vulnerability

Affected Versions

ThemeBlvd theme framework vulnerability